They are effectively the same.

https://docs.pylonsproject.org/projects/pyramid/en/latest/_modules/pyramid/csrf.html#LegacySessionCSRFStoragePolicy.get_csrf_token

In your code, you have configured two session factories. I assume you get the CSRF unique to each factory. ¯\_(ツ)_/¯

--steve

On 5/2/21 10:25 AM, Laurent Daverio wrote:
> So, if I follow this line of reasoning, the way to get the same value
> as in the template is to use:
>
> from pyramid.csrf import get_csrf_token
> print(get_csrf_token(request))
>
> and *not*:
>
> print(request.session.get_csrf_token())
>
> On Sun, 2 May 2021 at 19:11, Laurent Daverio <[email protected]> wrote:
>>
>> OK, I've been able to nail it down on a simple example: depending on
>> the CSRF storage policy I use, "request.session.get_csrf_token()"
>> (called from python or a template) and "get_csrf_token()" (called from
>> a template) return the same value *or not*.
>>
>> - no storage policy => ok
>> - LegacySessionCSRFStoragePolicy => ok
>> - CookieCSRFStoragePolicy => ko
>>
>> I'm attaching my example, I called it "onefile.py", although I needed
>> two files actually (one python file + one mako template). Sorry ;)
>>
>> On Wed, 28 Apr 2021 at 22:32, Laurent Daverio <[email protected]> wrote:
>>>
>>> Thank you Steve. I'll have to think about it, not that the code is
>>> secret, just a matter of knowing what to post to be relevant.
>>>
>>> On Wed, 28 Apr 2021 at 22:10, Steve Piercy
>>> <[email protected]> wrote:
>>>>
>>>> It's difficult to say without your example. I've been using CSRF as shown
>>>> in the Deform demo without any issues.
>>>>
>>>> --steve
>>>>
>>>>
>>>> On 4/28/21 10:32 AM, Laurent Daverio wrote:
>>>>> Hello List,
>>>>>
>>>>> I'd like to report a problem I've just encountered, occurring between
>>>>> Pyramid's CSRF protection and Deform.
>>>>>
>>>>> Basically, I have a Pyramid 2.0 web app configured along the lines of
>>>>> the "URL dispatch wiki tutorial"
>>>>> (https://docs.pylonsproject.org/projects/pyramid/en/2.0-branch/tutorials/wiki2/authentication.html),
>>>>> with some Deform forms in it.
>>>>>
>>>>> The Deform Demo
>>>>> (https://deformdemo.pylonsproject.org/pyramid_csrf_demo/) shows how to
>>>>> use a deferred value to create a hidden field "csrf_token" in the
>>>>> generated forms.
>>>>>
>>>>> But there's a problem: the token generated that way doesn't have the
>>>>> same value as when I directly call get_csrf_token() in a template.
>>>>>
>>>>> As I don't have the time/energy to fully investigate the problem right
>>>>> now, I think I will just use a workaround: as I'm using Diazo as a
>>>>> theming engine (awesome tech, btw), I think I will add a rule to
>>>>> inject the token into every form. Should work.
>>>>>
>>>>> Still, I wanted to take the time to report the problem, in case it
>>>>> could be useful.
>>>>>
>>>>> Laurent.
>>>>>
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups
>>>> "pylons-discuss" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>> email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/pylons-discuss/44979a98-12ae-239e-8478-c2323aecfaf1%40gmail.com.
